diff options
Diffstat (limited to 'sshd.0')
| -rw-r--r-- | sshd.0 | 50 |
1 files changed, 24 insertions, 26 deletions
| @@ -21,7 +21,7 @@ DESCRIPTION | |||
| 21 | sshd works as follows: | 21 | sshd works as follows: |
| 22 | 22 | ||
| 23 | SSH protocol version 1 | 23 | SSH protocol version 1 |
| 24 | Each host has a host-specific RSA key (normally 1024 bits) used to iden- | 24 | Each host has a host-specific RSA key (normally 2048 bits) used to iden- |
| 25 | tify the host. Additionally, when the daemon starts, it generates a | 25 | tify the host. Additionally, when the daemon starts, it generates a |
| 26 | server RSA key (normally 768 bits). This key is normally regenerated ev- | 26 | server RSA key (normally 768 bits). This key is normally regenerated ev- |
| 27 | ery hour if it has been used, and is never stored on disk. | 27 | ery hour if it has been used, and is never stored on disk. |
| @@ -200,8 +200,7 @@ LOGIN PROCESS | |||
| 200 | 200 | ||
| 201 | 1. If the login is on a tty, and no command has been specified, | 201 | 1. If the login is on a tty, and no command has been specified, |
| 202 | prints last login time and /etc/motd (unless prevented in the | 202 | prints last login time and /etc/motd (unless prevented in the |
| 203 | configuration file or by $HOME/.hushlogin; see the FILES sec- | 203 | configuration file or by ~/.hushlogin; see the FILES section). |
| 204 | tion). | ||
| 205 | 204 | ||
| 206 | 2. If the login is on a tty, records login time. | 205 | 2. If the login is on a tty, records login time. |
| 207 | 206 | ||
| @@ -212,21 +211,20 @@ LOGIN PROCESS | |||
| 212 | 211 | ||
| 213 | 5. Sets up basic environment. | 212 | 5. Sets up basic environment. |
| 214 | 213 | ||
| 215 | 6. Reads the file $HOME/.ssh/environment, if it exists, and users | 214 | 6. Reads the file ~/.ssh/environment, if it exists, and users are |
| 216 | are allowed to change their environment. See the | 215 | allowed to change their environment. See the |
| 217 | PermitUserEnvironment option in sshd_config(5). | 216 | PermitUserEnvironment option in sshd_config(5). |
| 218 | 217 | ||
| 219 | 7. Changes to user's home directory. | 218 | 7. Changes to user's home directory. |
| 220 | 219 | ||
| 221 | 8. If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc ex- | 220 | 8. If ~/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists, |
| 222 | ists, runs it; otherwise runs xauth. The ``rc'' files are | 221 | runs it; otherwise runs xauth. The ``rc'' files are given the |
| 223 | given the X11 authentication protocol and cookie in standard | 222 | X11 authentication protocol and cookie in standard input. |
| 224 | input. | ||
| 225 | 223 | ||
| 226 | 9. Runs user's shell or command. | 224 | 9. Runs user's shell or command. |
| 227 | 225 | ||
| 228 | AUTHORIZED_KEYS FILE FORMAT | 226 | AUTHORIZED_KEYS FILE FORMAT |
| 229 | $HOME/.ssh/authorized_keys is the default file that lists the public keys | 227 | ~/.ssh/authorized_keys is the default file that lists the public keys |
| 230 | that are permitted for RSA authentication in protocol version 1 and for | 228 | that are permitted for RSA authentication in protocol version 1 and for |
| 231 | public key authentication (PubkeyAuthentication) in protocol version 2. | 229 | public key authentication (PubkeyAuthentication) in protocol version 2. |
| 232 | AuthorizedKeysFile may be used to specify an alternative file. | 230 | AuthorizedKeysFile may be used to specify an alternative file. |
| @@ -329,10 +327,10 @@ AUTHORIZED_KEYS FILE FORMAT | |||
| 329 | permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 | 327 | permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 |
| 330 | 328 | ||
| 331 | SSH_KNOWN_HOSTS FILE FORMAT | 329 | SSH_KNOWN_HOSTS FILE FORMAT |
| 332 | The /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts files contain | 330 | The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host |
| 333 | host public keys for all known hosts. The global file should be prepared | 331 | public keys for all known hosts. The global file should be prepared by |
| 334 | by the administrator (optional), and the per-user file is maintained au- | 332 | the administrator (optional), and the per-user file is maintained auto- |
| 335 | tomatically: whenever the user connects from an unknown host its key is | 333 | matically: whenever the user connects from an unknown host its key is |
| 336 | added to the per-user file. | 334 | added to the per-user file. |
| 337 | 335 | ||
| 338 | Each line in these files contains the following fields: hostnames, bits, | 336 | Each line in these files contains the following fields: hostnames, bits, |
| @@ -417,7 +415,7 @@ FILES | |||
| 417 | The content of this file is not sensitive; it can be world-read- | 415 | The content of this file is not sensitive; it can be world-read- |
| 418 | able. | 416 | able. |
| 419 | 417 | ||
| 420 | $HOME/.ssh/authorized_keys | 418 | ~/.ssh/authorized_keys |
| 421 | Lists the public keys (RSA or DSA) that can be used to log into | 419 | Lists the public keys (RSA or DSA) that can be used to log into |
| 422 | the user's account. This file must be readable by root (which | 420 | the user's account. This file must be readable by root (which |
| 423 | may on some machines imply it being world-readable if the user's | 421 | may on some machines imply it being world-readable if the user's |
| @@ -427,7 +425,7 @@ FILES | |||
| 427 | identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, | 425 | identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, |
| 428 | as described in ssh-keygen(1). | 426 | as described in ssh-keygen(1). |
| 429 | 427 | ||
| 430 | /etc/ssh/ssh_known_hosts, $HOME/.ssh/known_hosts | 428 | /etc/ssh/ssh_known_hosts, ~/.ssh/known_hosts |
| 431 | These files are consulted when using rhosts with RSA host authen- | 429 | These files are consulted when using rhosts with RSA host authen- |
| 432 | tication or protocol version 2 hostbased authentication to check | 430 | tication or protocol version 2 hostbased authentication to check |
| 433 | the public key of the host. The key must be listed in one of | 431 | the public key of the host. The key must be listed in one of |
| @@ -435,12 +433,12 @@ FILES | |||
| 435 | verify that it is connecting to the correct remote host. These | 433 | verify that it is connecting to the correct remote host. These |
| 436 | files should be writable only by root/the owner. | 434 | files should be writable only by root/the owner. |
| 437 | /etc/ssh/ssh_known_hosts should be world-readable, and | 435 | /etc/ssh/ssh_known_hosts should be world-readable, and |
| 438 | $HOME/.ssh/known_hosts can, but need not be, world-readable. | 436 | ~/.ssh/known_hosts can, but need not be, world-readable. |
| 439 | 437 | ||
| 440 | /etc/motd | 438 | /etc/motd |
| 441 | See motd(5). | 439 | See motd(5). |
| 442 | 440 | ||
| 443 | $HOME/.hushlogin | 441 | ~/.hushlogin |
| 444 | This file is used to suppress printing the last login time and | 442 | This file is used to suppress printing the last login time and |
| 445 | /etc/motd, if PrintLastLog and PrintMotd, respectively, are en- | 443 | /etc/motd, if PrintLastLog and PrintMotd, respectively, are en- |
| 446 | abled. It does not suppress printing of the banner specified by | 444 | abled. It does not suppress printing of the banner specified by |
| @@ -456,7 +454,7 @@ FILES | |||
| 456 | Access controls that should be enforced by tcp-wrappers are de- | 454 | Access controls that should be enforced by tcp-wrappers are de- |
| 457 | fined here. Further details are described in hosts_access(5). | 455 | fined here. Further details are described in hosts_access(5). |
| 458 | 456 | ||
| 459 | $HOME/.rhosts | 457 | ~/.rhosts |
| 460 | This file is used during RhostsRSAAuthentication and | 458 | This file is used during RhostsRSAAuthentication and |
| 461 | HostbasedAuthentication and contains host-username pairs, sepa- | 459 | HostbasedAuthentication and contains host-username pairs, sepa- |
| 462 | rated by a space, one per line. The given user on the corre- | 460 | rated by a space, one per line. The given user on the corre- |
| @@ -469,7 +467,7 @@ FILES | |||
| 469 | user name may be of the form +@groupname to specify all hosts or | 467 | user name may be of the form +@groupname to specify all hosts or |
| 470 | all users in the group. | 468 | all users in the group. |
| 471 | 469 | ||
| 472 | $HOME/.shosts | 470 | ~/.shosts |
| 473 | For ssh, this file is exactly the same as for .rhosts. However, | 471 | For ssh, this file is exactly the same as for .rhosts. However, |
| 474 | this file is not used by rlogin and rshd, so using this permits | 472 | this file is not used by rlogin and rshd, so using this permits |
| 475 | access using SSH only. | 473 | access using SSH only. |
| @@ -505,7 +503,7 @@ FILES | |||
| 505 | file may be useful in environments that want to run both | 503 | file may be useful in environments that want to run both |
| 506 | rsh/rlogin and ssh. | 504 | rsh/rlogin and ssh. |
| 507 | 505 | ||
| 508 | $HOME/.ssh/environment | 506 | ~/.ssh/environment |
| 509 | This file is read into the environment at login (if it exists). | 507 | This file is read into the environment at login (if it exists). |
| 510 | It can only contain empty lines, comment lines (that start with | 508 | It can only contain empty lines, comment lines (that start with |
| 511 | `#'), and assignment lines of the form name=value. The file | 509 | `#'), and assignment lines of the form name=value. The file |
| @@ -513,7 +511,7 @@ FILES | |||
| 513 | anyone else. Environment processing is disabled by default and | 511 | anyone else. Environment processing is disabled by default and |
| 514 | is controlled via the PermitUserEnvironment option. | 512 | is controlled via the PermitUserEnvironment option. |
| 515 | 513 | ||
| 516 | $HOME/.ssh/rc | 514 | ~/.ssh/rc |
| 517 | If this file exists, it is run with /bin/sh after reading the en- | 515 | If this file exists, it is run with /bin/sh after reading the en- |
| 518 | vironment files but before starting the user's shell or command. | 516 | vironment files but before starting the user's shell or command. |
| 519 | It must not produce any output on stdout; stderr must be used in- | 517 | It must not produce any output on stdout; stderr must be used in- |
| @@ -548,9 +546,9 @@ FILES | |||
| 548 | readable by anyone else. | 546 | readable by anyone else. |
| 549 | 547 | ||
| 550 | /etc/ssh/sshrc | 548 | /etc/ssh/sshrc |
| 551 | Like $HOME/.ssh/rc. This can be used to specify machine-specific | 549 | Like ~/.ssh/rc. This can be used to specify machine-specific lo- |
| 552 | login-time initializations globally. This file should be | 550 | gin-time initializations globally. This file should be writable |
| 553 | writable only by root, and should be world-readable. | 551 | only by root, and should be world-readable. |
| 554 | 552 | ||
| 555 | SEE ALSO | 553 | SEE ALSO |
| 556 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), | 554 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), |
| @@ -573,4 +571,4 @@ AUTHORS | |||
| 573 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 571 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
| 574 | for privilege separation. | 572 | for privilege separation. |
| 575 | 573 | ||
| 576 | OpenBSD 3.7 September 25, 1999 9 | 574 | OpenBSD 3.8 September 25, 1999 9 |